How to add Gcloud consoles' IPs into organization policy?

Question

I've had to add an organization policy that restricts access to the cloud for anyone. Only are allowed: the IP adresses that I've explicitely granted.

Example: Try to log in from an unauthorized external IP, you'll get a "Access blocked" screen when trying to access the organization via console.cloud.google.com .

The problem is now I cannot seem to make the simplest gcloud calls within the console.

For example: gcloud projects list returns:

ERROR: (gcloud.projects.list) UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  metadata:
    method: google.cloudresourcemanager.v1.Projects.ListProjects
    service: cloudresourcemanager.googleapis.com
  reason: ACCESS_TOKEN_TYPE_UNSUPPORTED

via When I try to authenticate to the account that is owner on the organization via gcloud auth application-default login . I get

ERROR: Access was blocked due to an organization policy, please contact your admin to gain access.
ERROR: (gcloud.auth.application-default.login) (access_denied) Account restricted

Is this because the gcloud is called from the console, that has an external and/or internal IP that isn't listed in the organization policy?

How do i resolve this considering my organization policy? How do I determine which kind of IPs to allow (internal vs external)?

EDIT:

I have confirmed it is an IP blockage problem since I can call gcloud projects list within a local terminal of an authorized IP adress

Answer 1

Sounds like you might want to configure private google access seeing as you've implemented an org policy that restricts external access.

More info here: https://cloud.google.com/vpc/docs/configure-private-google-access .